Cleanup formatting and add SG ingress rule to EC2 from ALB

Author: burmek

comet-infrastructure/main.tf

@@ -36,7 +36,8 @@ module "comet_ec2" {
   comet_ec2_volume_size    = var.comet_ec2_volume_size
   comet_ec2_key            = var.comet_ec2_key
 
-  alb_enabled = var.enable_ec2_alb
+  alb_enabled      = var.enable_ec2_alb
+  comet_ec2_alb_sg = var.enable_ec2_alb ? module.comet_ec2_alb[0].comet_alb_sg : null
 
   s3_enabled              = var.enable_s3
   comet_ml_s3_bucket      = var.s3_bucket_name

comet-infrastructure/modules/comet_ec2/main.tf

@@ -173,7 +173,6 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_ssh" {
   from_port   = local.ssh_port
   to_port     = local.ssh_port
   ip_protocol = "tcp"
-  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -183,7 +182,6 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_http" {
   from_port   = local.http_port
   to_port     = local.http_port
   ip_protocol = "tcp"
-  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
@@ -193,20 +191,18 @@ resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_https" {
   from_port   = local.https_port
   to_port     = local.https_port
   ip_protocol = "tcp"
-  # make more restrictive
   cidr_ipv4 = local.cidr_anywhere
 }
 
-/*
 resource "aws_vpc_security_group_ingress_rule" "comet_ec2_alb_http" {
+  count             = var.alb_enabled ? 1 : 0
   security_group_id = aws_security_group.comet_ec2_sg.id
 
-  from_port   = local.http_port
-  to_port     = local.http_port
-  ip_protocol    = "tcp"
-  security_groups = [var.comet_ec2_alb_sg.id]
+  from_port                    = local.http_port
+  to_port                      = local.http_port
+  ip_protocol                  = "tcp"
+  referenced_security_group_id = var.comet_ec2_alb_sg
 }
-*/
 
 resource "aws_vpc_security_group_egress_rule" "comet_ec2_egress_any" {
   security_group_id = aws_security_group.comet_ec2_sg.id

comet-infrastructure/modules/comet_ec2/variables.tf

@@ -65,4 +65,9 @@ variable "comet_ml_s3_bucket" {
 variable "comet_ec2_s3_iam_policy" {
   description = "Policy granting access to Comet S3 bucket"
   type        = string
+}
+
+variable "comet_ec2_alb_sg" {
+  description = "ID of the security group attached to an associated application load balancer, for creating ingress EC2 SG rule"
+  type        = string
 }

comet-infrastructure/modules/comet_ec2_alb/outputs.tf

@@ -1,4 +1,9 @@
 output "alb_dns_name" {
   description = "DNS name of the ALB"
   value       = module.alb.lb_dns_name
+}
+
+output "comet_alb_sg" {
+  description = "ID of the security group created for the ALB"
+  value       = aws_security_group.comet_alb_sg.id
 }